cat-users - Re: [[cat-users]] ECC CA Certificate not accepted for EAP?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Martin Stanislav <address@concealed>
  • To: Klaus Steinberger <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [[cat-users]] ECC CA Certificate not accepted for EAP?
  • Date: Wed, 7 Jan 2026 15:30:23 +0100

Hi Klaus,

Since you intend to use HARICA (TCS) to issue certificates for the EAP server,
please have a look at the information present at GÉANT wiki [1].
Section "HARICA certificates issued by the GÉANT Certificate Service"
is likely to be of use in this matter.

In general, the eduroam CAT portal will not accept / publish
a configuration profile that is completely missing a root CA certificate.

If this is concerning the "LMU Munich Physics" configuration profile
published via eduroam CAT portal, may I suggest to only keep
the root CA certificate(s) in this profile and let the EAP server
provide any intermediate CA certificates that the clients
(802.1X supplicants) need to build a chain of trust?
E.g. you neither need to keep "GEANT TLS ECC 1" nor
"HARICA TLS ECC Root CA 2021" that is cross-signed by 2015 root CA
in the profile. The EAP server can provide the intermediate CA certificate(s)
together with its server certificate to all clients.

Kind regards,
Martin

[1] EAP Server Certificate considerations

https://wiki.geant.org/spaces/H2eduroam/pages/121346323/EAP+Server+Certificate+considerations

On Wed, Jan 07, 2026 at 12:17:29PM +0100, Klaus Steinberger wrote:
> Hi,
>
> we created new certificates for our radius servers with harica and ECC, but
> when I add the ECC Root CA Certificate I get the following errors:
>
> Warning! Supported EAP Type: PEAP-MSCHAPv2 is missing required information
> CA Certificate File !
> The EAP type was added to the profile, but you need to complete the missing
> information before we can produce installers for you.
> Warning! Supported EAP Type: TTLS-MSCHAPv2 is missing required information
> CA Certificate File !
> The EAP type was added to the profile, but you need to complete the missing
> information before we can produce installers for you.
> Warning! Supported EAP Type: TTLS-PAP is missing required information
> CA Certificate File !
> The EAP type was added to the profile, but you need to complete the missing
> information before we can produce installers for you.
>
>
> I then added the RSA CA Certificate which is accepted without error. I hope
> this is working as a workaround, as the cat website also packs the ecc
> Certificates in the download.
>
> Sincerely,
> Klaus Steinberger
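
The advice in the reply above, as an added shell example (not part of the original messages and not GÉANT or CAT code): it builds a constructed throwaway ECC chain with `openssl`, picks out the self-signed root that belongs in the profile, and checks that a client trusting only that root validates the server certificate when the server sends the intermediate. All file and subject names are made up, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Constructed throwaway ECC PKI (all names made up): root -> intermediate -> server.
build_pki() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"
  for n in root int srv; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" &&
    openssl req -new -key "$d/$n.key" -subj "/CN=constructed-$n" -out "$d/$n.csr" || return 1
  done
  # Root is self-signed; root signs the intermediate; the intermediate signs the server.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -extfile "$d/srv.ext" -days 2 -out "$d/srv.pem" 2>/dev/null
}

# True when subject == issuer, i.e. a root that belongs in the profile.
# A cross-signed copy of a root has a different issuer and is rejected here.
is_self_signed() {  # $1 = PEM certificate
  s=$(openssl x509 -noout -subject_hash -in "$1") || return 1
  [ "$s" = "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Validate the server certificate as a supplicant that trusts only the root.
# "with": the server also sent the intermediate; "without": it sent only its own cert.
verify_as_client() {  # $1 = PKI directory, $2 = with | without
  if [ "$2" = with ]; then
    openssl verify -no-CApath -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem"
  else
    openssl verify -no-CApath -CAfile "$1/root.pem" "$1/srv.pem"
  fi >/dev/null 2>&1
}

demo=$(mktemp -d) && build_pki "$demo" || exit 1
for c in root int; do
  if is_self_signed "$demo/$c.pem"; then echo "$c.pem: root, keep in the profile"
  else echo "$c.pem: intermediate, send from the EAP server"; fi
done
verify_as_client "$demo" with && echo "root-only trust, intermediate sent: chain OK"
verify_as_client "$demo" without || echo "root-only trust, no intermediate: chain fails"
rm -rf "$demo"
```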
